Will President Obama finally rationalize the 47 different state laws governing data breaches? The President says he will introduce legislation to create a single national standard designed to protect Americans from identity theft.
In the wake of breaches affecting Sony, Target, and Home Depot, just to name a few, data breaches seem inevitable these days. 47 states have their own laws specifying when and how the breach of personal information must be disclosed to affected individuals, and these laws can differ greatly. Any company collecting personal information should have a breach notification plan in place so it is not scrambling to read and interpret numerous laws after a breach (which is already an anxiety-producing situation). Most states say the notice to individuals (and sometimes to state attorneys general and credit reporting agencies) must be provided expediently or as quickly as possible. Some states, such as Florida, say the notice must be sent within 45 days. However, there is an important caveat. Many states recognize the need for companies to take time to determine the scope of the breach, implement steps to stop the breach, and coordinate with law enforcement. In my experience, this becomes a careful balancing act. Companies want to notify their consumers as soon as possible, but it takes time to conduct the computer forensics necessary to determine who is affected and what information was compromised. In addition, no one wants to hinder a police or other investigation if there is a chance of catching the hacker and learning even more about the breach as a result.
The President proposes that companies notify consumers of a breach within 30 days, regardless of what their state laws require. It’s not clear whether the important caveats for breach investigation will remain in place.